[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Using sgid binaries to defend against LD_PRELOAD/ptrace()

Hi Martin,

Martin Pitt wrote:
> One easy solution that comes to my mind is to install those affected
> programs setgid, and drop the additional group immediately after
> program start with setgid(getgid()). For this we should introduce a
> new static group into base-passwd, like "noptrace", to not abuse
> existing groups and not confuse auditing tools.

excuse my ignorance, but is this the hack it sounds like? If so, I would
not be exactly thrilled to see this sprinkled across the distribution
unless it solves a severe problem and there are no alternatives of
"doing things right", which I am not sure is the care here.

Kind regards

Thomas Viehmann, http://thomas.viehmann.net/

Reply to: